Types of Message Authentication Codes
Although all MACs accomplish the same end objective, there are a few different types.
1. One-time MAC
A one-time MAC is a lot like one-time encryption in that a MAC algorithm for a single use is defined to secure the transmission of data. One-time MACs tend to be faster than other authentication algorithms.
2. Carter-Wegman MAC
A Carter-Wegman MAC is similar to a one-time MAC, except it also incorporates a pseudorandom function that makes it possible for a single key to be used many times over.
3. HMAC
With a Keyed-Hash Message Authentication Code (HMAC) system, a one-way hash is used to create a unique MAC value for every message sent. The input parameters can have various values assigned, and making them very different from each other may produce a higher level of security.
Approved Message Authentication Code Algorithms
The approved general-purpose MAC algorithms are HMAC, KECCAK Message Authentication Code (KMAC), and Cipher-based Message Authentication Code (CMAC). Message authentication in cryptography depends on hashes, which are used to verify the legitimacy of the transmission, ensuring the message has not been altered or otherwise corrupted since it was first transmitted by the sender.
Keyed-Hash Message Authentication Code (HMAC)
The HMAC is based on an approved hash function. It performs a function similar to that of the Rivest-Shamir-Adleman (RSA) cryptosystem, which is one of the oldest methods of sending data securely. The functions that can be used in HMAC are outlined in the following publications:
- FIPS 180-4, Secure Hash Standard
- FIPS 202, SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions
Guidelines regarding HMAC’s security are outlined in NIST SP 800-107 Revision 1, Recommendation for Applications Using Approved Hash Algorithms.
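The following is an added example, not code from the original article: the HMAC construction written out over hashlib and checked against Python's standard hmac module, once with a FIPS 180-4 hash (SHA-256) and once with a FIPS 202 hash (SHA3-256). The key and messages are constructed sample values, and the names hmac_manual and verify are this example's own.

```python
import hashlib
import hmac

# Fixed inner and outer pad bytes from the HMAC definition (RFC 2104, FIPS 198-1).
IPAD, OPAD = 0x36, 0x5C

def hmac_manual(key: bytes, msg: bytes, hash_name: str = "sha256") -> bytes:
    """Compute H((K0 ^ opad) || H((K0 ^ ipad) || msg)) with a hashlib hash."""
    block = hashlib.new(hash_name).block_size   # 64 for SHA-256, 136 for SHA3-256
    if len(key) > block:                         # over-long keys are hashed first
        key = hashlib.new(hash_name, key).digest()
    k0 = key.ljust(block, b"\x00")               # then zero-padded to one block
    inner = hashlib.new(hash_name, bytes(b ^ IPAD for b in k0) + msg).digest()
    return hashlib.new(hash_name, bytes(b ^ OPAD for b in k0) + inner).digest()

def verify(key: bytes, msg: bytes, tag: bytes, hash_name: str = "sha256") -> bool:
    """Receiver side: recompute the tag and compare in constant time."""
    return hmac.compare_digest(hmac_manual(key, msg, hash_name), tag)

# Constructed sample values, for illustration only.
SAMPLE_KEY = bytes(range(32))
SAMPLE_MSG = b"transfer 100 to account 42"
TAMPERED_MSG = b"transfer 900 to account 42"

if __name__ == "__main__":
    for name in ("sha256", "sha3_256"):
        tag = hmac_manual(SAMPLE_KEY, SAMPLE_MSG, name)
        # The hand-written construction must agree with the standard library.
        assert tag == hmac.new(SAMPLE_KEY, SAMPLE_MSG, name).digest()
        print(name, tag.hex())
        print("  original accepted:", verify(SAMPLE_KEY, SAMPLE_MSG, tag, name))
        print("  tampered accepted:", verify(SAMPLE_KEY, TAMPERED_MSG, tag, name))
```

In application code, call hmac.new and hmac.compare_digest directly; the hand-written version is here only to show what the construction does with the key and the hash.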
KECCAK Message Authentication Code (KMAC)
KMACs consist of keyed cryptographic algorithms, and their parameters are specified in FIPS 202, SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. Two variants of KMAC exist: KMAC256 and KMAC128.
The CMAC Mode for Authentication
As outlined in SP 800-38B, Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication, CMAC is built using an approved block cipher, which is an algorithm that uses a symmetric encryption key. This is similar to NIST's Advanced Encryption Standard (AES), which also uses a symmetric key and was used by the U.S. government to guard classified information.